@@ -406,6 +406,10 @@ static unsigned int cli_md5sect(fmap_t *map, struct cli_exe_section *s, unsigned
|
406
|
406
|
cli_md5_init(&md5);
|
407
|
407
|
cli_md5_update(&md5, hashme, s->rsz);
|
408
|
408
|
cli_md5_final(digest, &md5);
|
|
409
|
+ cli_dbgmsg("MDB: %u:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
|
|
410
|
+ s->rsz, digest[0], digest[1], digest[2], digest[3], digest[4], digest[5], digest[6],
|
|
411
|
+ digest[7], digest[8], digest[9], digest[10], digest[11], digest[12], digest[13], digest[14],
|
|
412
|
+ digest[15]);
|
409
|
413
|
return 1;
|
410
|
414
|
}
|
411
|
415
|
|
@@ -850,13 +854,13 @@ int cli_scanpe(cli_ctx *ctx)
|
850
|
850
|
cli_dbgmsg("------------------------------------\n");
|
851
|
851
|
|
852
|
852
|
if (DETECT_BROKEN_PE && !native && (!(pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment)) || (pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment))%0x1000)) {
|
853
|
|
- cli_dbgmsg("Bad virtual alignemnt\n");
|
|
853
|
+ cli_dbgmsg("Bad virtual alignment\n");
|
854
|
854
|
cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
855
|
855
|
return CL_VIRUS;
|
856
|
856
|
}
|
857
|
857
|
|
858
|
858
|
if (DETECT_BROKEN_PE && !native && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) {
|
859
|
|
- cli_dbgmsg("Bad file alignemnt\n");
|
|
859
|
+ cli_dbgmsg("Bad file alignment\n");
|
860
|
860
|
cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
861
|
861
|
return CL_VIRUS;
|
862
|
862
|
}
|
@@ -950,10 +954,9 @@ int cli_scanpe(cli_ctx *ctx)
|
950
|
950
|
if(exe_sections[i].chr & 0x80000000)
|
951
|
951
|
cli_dbgmsg("Section's memory is writeable\n");
|
952
|
952
|
|
953
|
|
- cli_dbgmsg("------------------------------------\n");
|
954
|
|
-
|
955
|
953
|
if (DETECT_BROKEN_PE && (!valign || (exe_sections[i].urva % valign))) { /* Bad virtual alignment */
|
956
|
954
|
cli_dbgmsg("VirtualAddress is misaligned\n");
|
|
955
|
+ cli_dbgmsg("------------------------------------\n");
|
957
|
956
|
cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
958
|
957
|
free(section_hdr);
|
959
|
958
|
free(exe_sections);
|
@@ -963,6 +966,7 @@ int cli_scanpe(cli_ctx *ctx)
|
963
|
963
|
if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
|
964
|
964
|
if (exe_sections[i].raw >= fsize) { /* really broken */
|
965
|
965
|
cli_dbgmsg("Broken PE file - Section %d starts beyond the end of file (Offset@ %lu, Total filesize %lu)\n", i, (unsigned long)exe_sections[i].raw, (unsigned long)fsize);
|
|
966
|
+ cli_dbgmsg("------------------------------------\n");
|
966
|
967
|
free(section_hdr);
|
967
|
968
|
free(exe_sections);
|
968
|
969
|
if(DETECT_BROKEN_PE) {
|
@@ -984,6 +988,7 @@ int cli_scanpe(cli_ctx *ctx)
|
984
|
984
|
cli_append_virus(ctx, virname);
|
985
|
985
|
if(cli_hm_scan(md5_dig, fsize, NULL, ctx->engine->hm_fp, CLI_HASH_MD5) != CL_VIRUS) {
|
986
|
986
|
if (!SCAN_ALL) {
|
|
987
|
+ cli_dbgmsg("------------------------------------\n");
|
987
|
988
|
free(section_hdr);
|
988
|
989
|
free(exe_sections);
|
989
|
990
|
return CL_VIRUS;
|
@@ -995,6 +1000,8 @@ int cli_scanpe(cli_ctx *ctx)
|
995
|
995
|
|
996
|
996
|
}
|
997
|
997
|
|
|
998
|
+ cli_dbgmsg("------------------------------------\n");
|
|
999
|
+
|
998
|
1000
|
if (exe_sections[i].urva>>31 || exe_sections[i].uvsz>>31 || (exe_sections[i].rsz && exe_sections[i].uraw>>31) || exe_sections[i].ursz>>31) {
|
999
|
1001
|
cli_dbgmsg("Found PE values with sign bit set\n");
|
1000
|
1002
|
free(section_hdr);
|